The host cloudlet server (IP address: 192.168.1.2) is running an Instance (IP address: 10.11.12.2). I have created a Java TCP client (IP: 192.168.1.3) and want to connect to the Instance from the client machine via a TCP/IP socket. However, I could not connect to the Instance from my client. I notice that I can ping the client machine from the Instance but not the reverse way. Is there anything that I should configure in the Horizon dashboard? I appreciate your suggestion.

Under the compute panel, there is an item for Access & Security. If you click that, you will see tabs in the main pane for Security Groups, Key Pairs, etc. If you click on Security Groups you should be presented with the list of available security groups. You likely only have the default security group, but if not, you should ensure that you are editing the security group that the instance belongs to. If you click on the Manage Rules button for the security group you are interested in, it will take you to a list of existing rules. You may already have a rule for ICMP if pinging your VM instances is successful. Here you can add a custom TCP rule that will allow your Java client to connect. You just have to specify an address range and the port that the client connects on. Once you have created this rule the traffic on that port will be allowed to flow through to the instance.

The ICMP rule looks like it was configured to use a security group (default) instead of a CIDR. I have had trouble in the past using a security group for rules. When I would specify the same rules with a CIDR range instead of a security group, they would work fine. Perhaps you could rewrite the rule to use the same CIDR you have in your TCP rule?
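
Added example (not part of the original posts, and not OpenStack code): a small model of how ingress security group rules match a source address, showing why a rule whose source is a security group admits only members of that group while a CIDR rule admits any address in the range. The rule dictionaries, the 192.168.1.0/24 CIDR, the second member address 10.11.12.3 and the function name are constructed assumptions; only the security group filter is modelled, not routing or floating IPs.

```python
import ipaddress

# Constructed sample data modelled on the thread, not exported from a real deployment.
# Instances that belong to the "default" group (10.11.12.3 is an assumed second VM).
MEMBERS = {"default": {"10.11.12.2", "10.11.12.3"}}

# ICMP rule sourced from a security group, TCP rule sourced from a CIDR (assumed range).
RULES_AS_POSTED = [
    {"proto": "icmp", "ports": None, "remote_group": "default"},
    {"proto": "tcp", "ports": (22, 22), "remote_cidr": "192.168.1.0/24"},
]

# Same rules with the ICMP source rewritten to the CIDR used by the TCP rule.
RULES_WITH_CIDR = [
    {"proto": "icmp", "ports": None, "remote_cidr": "192.168.1.0/24"},
    {"proto": "tcp", "ports": (22, 22), "remote_cidr": "192.168.1.0/24"},
]


def ingress_allowed(rules, members, src_ip, proto, port=None):
    """Return True if any ingress rule admits this packet (hypothetical helper)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["proto"] != proto:
            continue
        # Port ranges apply to TCP/UDP only; None means "all ports".
        if rule["ports"] is not None and proto != "icmp":
            low, high = rule["ports"]
            if port is None or not low <= port <= high:
                continue
        if "remote_cidr" in rule:
            # CIDR source: any address inside the range matches.
            if src in ipaddress.ip_network(rule["remote_cidr"]):
                return True
        else:
            # Group source: only addresses of instances in that group match.
            group = members.get(rule["remote_group"], set())
            if src in {ipaddress.ip_address(m) for m in group}:
                return True
    return False  # no rule matched; security groups deny by default


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("with CIDR", RULES_WITH_CIDR)):
        ok = ingress_allowed(rules, MEMBERS, "192.168.1.3", "icmp")
        print(f"{name}: ping from 192.168.1.3 allowed = {ok}")
```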

You shouldn't need a floating IP for ingress onto the VMs. You do need a floating IP however, if you want the VM instances to get outside (i.e. to the internet).

If you want to create a floating IP block you can do so with nova floating-ip-bulk-create. Then you can assign a floating IP on the instances panel.

I didn't notice this initially, but the Java client, is it running on another machine? I see you mention a different IP (192.168.1.3) than the host that the VMs are running on (192.168.1.2). If you want the VMs to be accessible outside of the host they are running on then you will need to assign a floating IP to your VMs. Use 'nova floating-ip-bulk-create' to create a range of available public addresses for your VMs. Then in the Instances panel, you can Associate Floating IP for the VM where you have the service running. After you do this, you should be able to address the VM using the floating IP that was assigned and the port it is listening on (according to your rules, it looks like port 22). When you create the floating IP range and assign your instances one, OpenStack will set up IP tables that will direct traffic to the private IPs that the VMs are given 10.12.12.x and vice versa for the other direction.

Ya, the Java client is on another machine (IP 192.168.1.3), and the host VM is running on a different machine. I have created a range of floating IPs and associated it to the VM instance. The VM instance can ping the floating IP but unfortunately the host and Java client cannot ping the floating IP. When the host pings the floating IP, it shows:

Ping: sendmsg: Operation not permitted

I have a security group with the rules ALL TCP, ALL ICMP, ALL UDP. Do I need to change anything in nova.conf? Thanks.

I don't think you should have to alter nova.conf in any way. Let's back up for a minute. From the OpenStack node (the physical host where the VMs are running) can you ssh to the VM instance where you are running this service? This would be using the 10.11.12.x IP. Does this host have one or two network interface cards? If it only has one, did you create a virtual NIC and specify both of them in local.conf before you installed DevStack (see the comment in local.conf for an explanation on how to do this)?